Book Review - Auditing Cloud Computing


Book Review

by Richard Fowler, CISA, CIA, CFE

“Auditing Cloud Computing: A Security and Privacy Guide”, edited by Ben Halpert, CISSP, is a tremendous resource for auditors, security professionals, privacy officers and IT executives who need to understand the risks and mitigation strategies for an effective cloud computing solution. The chapters are written by leading professionals in IT, audit, security and management and cover progressively more detail and complexity so the reader builds on knowledge and the basics are not repeated. The editing provides a consistent style and tone throughout the book, making for smooth transitions from chapter to chapter.

While the title focuses on auditing, the information provided in each chapter addresses topics that are pertinent to nonauditors, particularly security managers and business executives who are interested in an objective, vendor-independent overview of cloud computing risks and benefits. The information can also benefit cloud providers, particularly the material on customer and auditor expectations.

The first chapter is “Introduction to Cloud Computing” and covers the basics quite well, from describing infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) to the differences between public, private and hybrid clouds to the concepts of data residency and multitenancy. The chapter does not address some of the newer cloud functions, such as monitoring as a service (MaaS) or communication as a service (CaaS), although one can figure out how these fit into the mix based on the rest of the chapter contents. This chapter also starts introducing some of the risks that need to be addressed, such as data regulations based on where the data is located, other cloud users adversely impacting performance or availability of the cloud, and unedited audit logs with multiple companies’ information recorded.

The second chapter covers the “Cloud-Based IT Audit Process” and addresses requirements for auditing in general as well as additional risks that should be considered when planning and conducting an audit.

These include data no longer residing entirely within a trusted environment; potential security risks for internal applications that are not tested for Internet vulnerabilities; and identity management concerns when the local Active Directory (or other centrally controlled service model) is not used. This chapter also introduces the reader to a number of organizations that are addressing cloud security and compliance programs. Some of these are familiar to auditors and IT professionals, such as NIST and ISACA. Other groups may not be as familiar, but can be considered as a resource for additional information on audit concerns, risk assessments and compliance issues; they include the Cloud Security Alliance (CSA), the FedRAMP program, and the European Network & Information Security Agency (ENISA) Cloud Risk Assessment.

Chapter 3, “Cloud-Based IT Governance,” addresses several of the key risks identified by the CSA. It then covers a governance framework that may be used to assist organizations in meeting these threats. The framework described is from the IT Governance Institute and ISACA, but here it is focused on the key aspects of governance of cloud services and risks. There is no discussion of other IT governance frameworks that could equivalently be used, such as ISO 38500, King III (South African standard) or Calder-Moir (UK standard), but auditors familiar with these other standards can follow the same outline as presented in this chapter.

The fourth chapter addresses the lifecycle management aspects of the cloud, and how an organization’s SDLC processes can be maintained or supported by a cloud provider. The key concepts of process handoffs, responsibilities and risk management are covered, and several examples are provided to address typical lifecycle processes such as disaster recovery. Various frameworks for lifecycle management are also addressed, including COBIT, ITIL, NIST, and the CSA’s control matrix. The emphasis placed on governance activities will be quite familiar to auditors and management alike.

Chapter Five covers “Cloud-Based IT Service Delivery and Support” and introduces the concepts of single-tenant, isolated-tenant and multi-tenant cloud operations. The pros and cons of each architecture type are discussed, and the specific risks associated with multi-tenant platforms (true cloud operations) are addressed in detail, as are the cloud provider responsibilities in establishing this type of platform.

Particularly with regard to Software as a Service (SaaS), this chapter compares granular data element privilege assignments to hierarchical data privileges, inherent transaction visibility to post-implementation event logging, and consistent customization to ad hoc application modifications, and notes the positive benefits the cloud infrastructure provides to both customers and providers in these instances.

Perhaps the most important topic to auditors, data security, is covered in Chapter Six, “Protection and Privacy on Information Assets in the Cloud.” There are three types of cloud users with security concerns: the cloud service consumers, the cloud service providers, and the cloud service regulators.

Their concerns are addressed in a cloud security reference model that includes data at rest and data in motion, which the authors refer to as the “Cloud Security Continuum.” Data classification is also covered in some detail, as well as how this practice is key for ensuring data privacy and security in the cloud.

Then the authors segue into how security, privacy and data classification can be used to map compliance coverage for the various regulatory concerns of organizations that might use cloud computing. As if to emphasize that this chapter is critical to many auditors and security professionals, there are many more notes included at the end of this chapter than in any other chapter of the book.

Chapter Seven covers aspects of “Business Continuity and Disaster Recovery,” first from a general perspective and then from the cloud perspective, and includes the key distinctions and similarities between these two perspectives. The critical concepts of recovery time objectives and recovery point objectives are clearly described, and there is excellent coverage of the audit tests that should be included in a BCP/DRP review (these points are useful in a traditional IT environment as well as in the cloud environment). One of the key benefits of cloud computing is, in fact, the ease of business continuity in a distributed and virtual environment – from the cloud consumer’s point of view, that is.

There are a number of additional touch points from the Cloud Security Alliance (CSA) that consumers should be aware of and that the cloud providers should have implemented.

Chapter Eight addresses “Global Regulation and Cloud Computing” and acknowledges that, since cloud computing is still in the early adoption phase, not all regulatory concerns have been identified. In fact, there are very few rules promulgated by industries, consumer groups, or legislative bodies that specifically address cloud computing – that will not always be the case! The current regulatory environment for data privacy and security is addressed, and the main security benchmarking groups are identified, which should help the auditor know where to look for additional information on regulatory changes. The chapter also covers how auditors can proactively identify risks and work with the IT and business managers to establish mitigation strategies for those risks.

The final chapter is “Cloud Morphing” and provides some guidance as to what may change in the future with regard to cloud security and cloud auditing. Several resources available from the CSA are discussed, including “CloudAudit 1.0” – an effort to create an API that can be used to gather data about the cloud services, the cloud provider, and other key practices advocated by the CSA. Additional discussion is provided on the security and audit of the hypervisor and the virtual machines that make up the cloud. The authors also address cryptography concerns, and note that cloud data almost certainly should be encrypted and that the encryption keys should NOT be stored in the cloud (although they do bring up the concept of a key management cloud, little detail is provided on how such a process would function and what security would be implemented for the keys).

Finally, the book includes an appendix with an audit checklist for cloud computing, which references the key review aspects covered in the various chapters of the book. While this is not itself a risk-based audit program, it does provide sufficient guidance for a risk assessment to be generated, after which the applicable audit checklist steps could be performed.

Overall, this book is quite readable and provides significant coverage of audit and security concerns for cloud computing. More and more companies are considering cloud computing, and whether or not they actually move their data, applications and/or processing to the cloud, it is beneficial for auditors and security professionals to be aware of the risks in advance of that move. With the number of cloud providers increasing, particularly those having FedRAMP or NIST 500-291 compliance, third-party and vendor data being cloud based will be a concern even if the auditor’s company data is retained onsite.

Auditing Cloud Computing: A Security and Privacy Guide

Edited by Ben Halpert

Published by John Wiley & Sons, Hoboken, NJ

ISBN 978-0-470-87474-5

Richard Fowler, CIA, CISA, CFE, has over 15 years of audit experience in a number of fields and significant previous experience as an engineer and as a computer programmer. He is a Community Facilitator with the American SAP User Group (ASUG), a Topic Leader on the ISACA website, and an active member of the IIA and ACFE. He has made presentations on internal controls and application controls at a number of local and national conferences. He currently works as a Senior Audit Specialist at Huntington Ingalls Industries in Newport News, Virginia, where he conducts risk assessments and operational, compliance and technology audits.
